Signalling System Number 7 (SS7) is used between mobile networks to enable various functions including: supporting voice interconnection; roaming mobility management; and internetwork Short Message Service (SMS). SS7 was developed before the Internet age, where large, normally state-owned organisations, ran telephone networks. Little time was spent protecting the protocols from abuse as it was thought that the barriers to entry were sufficiently high to protect networks. Mobile networks typically use SS7 to pass information about roaming customers, ensuring that such customers can register on networks and receive their calls or text messages.
With the introduction of Internet Protocol (IP) as an alternative transport layer, SS7 is now much more available to those who would want to abuse it. Examples of this abuse that impact customers and the network include:                HLR lookup—for example see http://gateway.txtnation.com/solutions/networklookup/numberqueries/num berlookup?ads=google&ppc=globalhlr;        location tracking—for example see http://www.washingtonpost.com/business/technology/for-sale-systemsthat-can-secretly-track-where-cellphone-users-go-around-theglobe/2014/08/24/f0700e8a-f003-11e3-bf76-447a5df6411f_story.html;        Anti-Steering of Roaming (A-SoR), which tries to overcome a network operator's ability to direct their roaming customers to a preferred network operator, increasing costs for customers and has been banned by GSMA (see http://pctelecoms.blogspot.co.uk/2010/04/anti-sor-activities-banned-bygsms-barg.html); and        badly (or maliciously) designed Machine-to-Machine (M2M) systems—these solutions have sent SS7 traffic into networks, but with no associated financial payment.        
One problem with detecting fraudulent use of SS7-based application protocols is that the number of abusive signalling messages may be small within the mass of legitimate traffic. Some types of traffic can be identified as illegitimate, especially where the attacker's aim is to extract customer information from the network and there are existing approaches to protect against malicious such traffic. However other types of illegitimate behaviour may be more difficult to detect, as a range of unusual, but legitimate types of signalling are also identifiable.
A particular concern is where an attacker's aim is to disrupt the network, or send undesirable information into the network, such as sending fraudulent SMS traffic towards subscribers. In these cases, the attacker will hide their identity by ‘spoofing’ (mimicking or imitating) all originating addresses used in the SS7 protocols. Detecting such traffic, where its originator may be difficult or even impossible to identify and the type of traffic is often similar to legitimate forms of signalling behaviour remains challenging.